The changelog for the latest version of the plugin MaxGalleria is “Added security enhancements”. Looking at the changes made in that version we saw that sanitization was added on some user input when editing images. By default users with the Author role and above can access the plugin’s functionality to edit images. With higher level users, they normally have the “unfiltered_html” capability, which permits them to do the equivalent of cross-site scripting (XSS), but Author level users they don’t. In checking on this we found that Author level users could previously place malicious JavaScript code in at least the Alternate Text and Link fields of images and that would then be output on admin pages, which would be an authenticated persistent cross-site scripting (XSS) vulnerability.

…

[Read more]